
Liz Giannopoulos

BA (Hons) Music, CT ABRSM, DipABRSM, LTCL

Preparing for the General Data Protection Regulation (GDPR) – a Piano Teacher’s Perspective
Liz Giannopoulos, March 2018

The new General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. For
many private music tutors this is already causing uncertainty and confusion. The summary that
follows is the outcome of the research I have completed and steps I have taken to ensure that my
piano school is compliant with the new legislation.

Whilst GDPR is causing frustration amongst many, as I researched and explored its implications I
came to realise that the new regulations make a lot of sense. The Data Protection Act was written in
1998. At that time, most of us didn’t have a mobile phone, an iPad or even a laptop. I had a brick of a
computer at home with a dial-up modem that used my phone line. We used cheque books, instead
of online banking. We went to the shops instead of ordering shopping online and booked our
holidays through a high street travel agent. Cameras contained a roll of film that had to be
developed. In the digital age we should be demanding the very highest protection of our personal
data and we have a duty to provide that protection to our clients.

The most useful source of information was the Information Commissioner’s Office (ICO). There is
also plenty of information and advice available through the Federation of Small Businesses.

The ICO has developed a 12 step checklist of actions you can take to prepare for GDPR. According to
the ICO “Many of the GDPR’s main concepts and principles are much the same as those in the
current Data Protection Act (DPA)” so if you are compliant with current DPA legislation you have a
good foundation on which to build. If you haven’t yet looked at the Data Protection Act, it’s worth
understanding the eight principles of data protection.

That said, there are some significant differences, including a greater emphasis on data controllers’
documentation to demonstrate accountability. Not everything on the ICO checklist is relevant in our
line of work; this document focuses on those areas that we do need to address.
1) Some useful definitions – and what it means for music teachers
There’s a lot of jargon flying about at the moment. I’ve tried to distil it into something we
can easily understand.

The ICO definitions, and what they mean for music teachers

PERSONAL DATA “means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

What this means for us: we need to consider what data we hold about our students, their parents and any relevant staff or associates. The list of personal data we could process includes (but is not limited to):
• addresses
• phone numbers
• email addresses
• date of birth
• health information
• photographs
• videos
• academic records

Note that health information is treated as a special category of data under GDPR, with stricter conditions attached to processing it, so record only what a tutor genuinely needs to know (for example, a condition that affects how a lesson is taught) and nothing more.

A DATA CONTROLLER is any individual or organisation who determines the purpose for which and the manner in which personal data is processed.

A DATA PROCESSOR is any individual or organisation who processes data on behalf of the data controller. It’s important to understand that “processing” means doing any of the following with personal information:
• obtaining it
• recording it
• storing it
• updating it
• sharing it
• erasing it

In short, “processing” is a broad definition and any personal data you gather, store or provide to a third party will be covered.

What this means for us: here are two illustrative, real-life examples.

I obtain the date of birth (personal information) of my student (data subject). I (data controller) store it and decide to send it to the exam board as part of their exam entry.

I obtain the bank details (personal information) of my student’s parents (data subjects). I (data controller) store it and decide to send it to my Direct Debit collection agency (data processor) to ensure I am recompensed for my work.

One caveat worth knowing: whether a recipient is your processor, or a controller in its own right, turns on who decides what is done with the data. The collection agency acting purely on your instructions is a processor, whereas an exam board that uses the entry for its own purposes (running the exam and issuing the result) is more likely to be a separate controller. Either way the data has left your hands and must be recorded as shared in your data tracking.
2) Do you need to register?
The best way to find out if you need to register is to complete the ICO’s self-assessment
questionnaire. In summary, if you are a sole trader or organisation making a profit in the education
sector and you make decisions about how the personal data of your students is processed
electronically, you are required to register.

There is a mis-conception that if you don’t store information on a computer then you do not need to
register. However, if you store phone numbers on a smartphone or use a digital camera or other
recording device, this is covered under the term “processing data electronically”.

IMMEDIATE ACTION
• Complete the self-assessment questionnaire at https://ico.org.uk/for-organisations/register/self-assessment/

LONG-TERM PLAN
• Even if you do not need to register with the ICO, it is important to adhere to the principles of the DPA.

3) Data Tracking
We need to document the personal data we hold, where it came from and who we share it with.
This is important because, under GDPR, if we have shared inaccurate information it is our
responsibility to inform the other organisation about the error so they can correct their records. We
don’t need to publish this document but we do need to keep it up to date.

Another important addition in GDPR is that data subjects have the right to erasure. That means they
can ask you to delete all records of their data and you need to be able to comply, including by passing
the request on to any third party you have shared the data with. The right is not absolute: you may
keep what you are legally obliged to retain (financial records, for example), but you must know exactly
what that is and be able to find and delete everything else.

Figure 1 shows a data tracking flowchart that I’ve compiled to help me to understand the flow of
data within my business.

IMMEDIATE ACTION
• Create a data tracking flowchart to understand from where the information was obtained and with whom it has been (or will be) shared.

LONG-TERM PLAN
• Schedule a regular review of the data tracking flowchart to quickly capture any changes.
Figure 1: Data tracking flowchart

Source: Student registration forms (from website)
• Address, phone number, email address; shared with: Associate tutors (via timetables)
• Address, phone number, email address; shared with: Accounting software provider
• Email address; shared with: Direct e-mailing software provider
• Date of birth; shared with: Exam board

Source: Direct Debit mandate
• Address, email address, bank details; shared with: Direct Debit collection agency

Source: Tutor CV
• Email address, phone number; shared with: Students’ parents
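To turn the flowchart into a working record rather than a picture, here is an added example (my own illustration, not part of the original article) that encodes Figure 1 as a small register in Python and answers the three questions GDPR will actually put to us: who must be told when a detail turns out to be wrong, who must be contacted when someone asks for erasure, and what each third party holds on our behalf. The subject labels and field names are mine, and the third parties are the generic ones from the flowchart rather than real suppliers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One row of the data tracking register: which items, about whom,
    obtained from where, and which third party they are passed to."""
    subject: str        # whose data: "student/parent" or "tutor" (labels are mine)
    source: str         # where we obtained it
    fields: tuple       # the personal data items involved
    shared_with: str    # the third party that receives them


# Register transcribed from Figure 1 (constructed for this example; the
# recipients are the generic names used in the flowchart, not real suppliers).
REGISTER = (
    Flow("student/parent", "Student registration form (website)",
         ("address", "phone number", "email address"), "Associate tutors (via timetables)"),
    Flow("student/parent", "Student registration form (website)",
         ("address", "phone number", "email address"), "Accounting software provider"),
    Flow("student/parent", "Student registration form (website)",
         ("email address",), "Direct e-mailing software provider"),
    Flow("student/parent", "Student registration form (website)",
         ("date of birth",), "Exam board"),
    Flow("student/parent", "Direct Debit mandate",
         ("address", "email address", "bank details"), "Direct Debit collection agency"),
    Flow("tutor", "Tutor CV",
         ("email address", "phone number"), "Students' parents"),
)


def recipients_of(subject, field):
    """Rectification: everyone who must be told that `field` for a `subject` was wrong."""
    return sorted({f.shared_with for f in REGISTER
                   if f.subject == subject and field in f.fields})


def erasure_checklist(subject):
    """Erasure: every internal source to purge and every third party to contact."""
    rows = [f for f in REGISTER if f.subject == subject]
    return {
        "sources": sorted({f.source for f in rows}),
        "recipients": sorted({f.shared_with for f in rows}),
    }


def held_by(recipient):
    """Subject access: what a given third party holds on our behalf."""
    held = set()
    for f in REGISTER:
        if f.shared_with == recipient:
            held.update(f.fields)
    return sorted(held)


def third_parties():
    """The full list of recipients that the privacy notice must name."""
    return sorted({f.shared_with for f in REGISTER})


if __name__ == "__main__":
    print("Email correction for a parent, notify:", recipients_of("student/parent", "email address"))
    print("Erasure request from a tutor:", erasure_checklist("tutor"))
    print("Held by the exam board:", held_by("Exam board"))
    print("Third parties to name in the notice:", third_parties())
```

Keeping the subject on each row matters because the same item (an email address) goes to different places depending on whose it is: a parent's email reaches four recipients, a tutor's reaches only the parents. A real register should also carry the retention period and the lawful basis for each flow, which is the information the privacy notice later asks for.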
4) Fair Processing Notice or Privacy Notice
All data subjects (i.e. people about whom we hold personal data) have to be supplied with a Fair
Processing Notice or Privacy Notice. The ICO provides a Privacy Notices Code of Practice which
reflects the requirements of the new GDPR and includes examples of Privacy Notices (both good and
bad). The code is aimed at organisations that collect information about people. The data subjects
include students and their parents and tutors who work with us.

This notice should include:

• who you are


• what you need
• why you need it
• what you do with it
• how long you keep it
• what you would also like to do with it.

A draft of what I intend to use can be found at Figure 2.

IMMEDIATE ACTION
• Send the Privacy Notice to all existing students (or their parent/guardian) and employees/associates, and require a signature to confirm receipt.

LONG-TERM PLAN
• Include the Privacy Notice on all registration forms and contractual documents with prospective students (or their parent/guardian) and employees/associates, including a tick box to indicate they have read, understood and agree to it.
Figure 2: Privacy Notice

Your Personal Data

Encore Music Tuition Ltd will be what is known as the ‘Controller’ of the personal data you provide
to us. Our company registration is 123456789 and our address is: 1, The Street, London

What we need
Unless otherwise agreed with you, we will only collect basic personal data about you and your child.
This information includes your name, home address, email address, bank details and your child’s
date of birth.

Why we need it
We need to know basic personal data in order to provide you with the services you have engaged us
to provide, and to assert our right to be recompensed in return for these services as per the
agreement we have with you. We will not collect any personal data from you that we do not need in
order to provide and oversee the services we have agreed to provide you with.

What we do with it
All the personal data we hold about you will be processed by the Encore Music team in the UK. The
information is also shared with the following third party organisations:

• Accounting Software company


• Email campaign company
• Direct Debit company
• Examination board

No other third parties will have access to your personal data unless there is a legal obligation for us
to provide it. We will take all reasonable steps to ensure that your personal data is processed
securely.

How long we keep it


We will generally keep your personal data for a minimum of 6 years, after which time it will be
destroyed if it is no longer required for the lawful purpose(s) for which it was obtained. If you
consent to marketing, any information we use for this purpose will be kept with us until you notify
us that you no longer wish to receive this information.

What we would also like to do with it


We would like to send you information about our services, by telephone, email and SMS. Please note
that if you consent to being sent our information via email then your data will be shared with the
third party organisation MailChimp who will make contact on our behalf. If you agree to being
contacted this way, please tick the relevant boxes:

[ ] Email    [ ] Phone    [ ] SMS


5) Consent
Data must be processed lawfully, which means you must be able to point to one of the lawful bases set out in GDPR. The ones most likely to matter to us are:

• the individual has given consent
• the processing is necessary for the performance of a contract with the individual
• the processing is necessary for compliance with a legal obligation
• the processing is necessary for your legitimate interests, provided those are not overridden by the individual’s rights (GDPR also lists vital interests and public tasks, which will not apply to private tuition).

For the core of what we do (names, addresses and billing details for the students we teach) the contract with the parent is the obvious basis. Whether anything beyond that is strictly “necessary” is open to debate, and legitimate interests still require you to show you have weighed the individual’s interests against your own and written that assessment down. For everything else, in particular mailing lists, photographs and recordings, this leaves us with consent.

In brief, consent must be a positive opt-in and cannot be assumed as a result of a pre-ticked box or
lack of response. It also has to be separate from other terms and conditions and it needs to be easy
for people to withdraw their consent. Consent must be specific, granular, clear, prominent, opt-in,
properly documented and easily withdrawn. If it’s not, new GDPR-compliant consent is needed –
including for our existing contacts and clients. It’s worth looking at the ICO’s consent checklist and
detailed guidance.

I recently received a request from the Duke of Edinburgh Award Scheme to opt-in to their mailing list
and I know that this is an area that I need to address. For my client mailing list, I need the parents of
all students to be actively subscribed so they receive essential information such as term dates,
concert schedules and other notices. For my wider mailing list, which includes teachers I have met at
conferences, prospective students and the like I need to retrospectively ask them to opt-in to the
mailing list going forwards.

Currently, I obtain consent for recording, filming and photographs to be taken and also seek
individual permission to publish those photographs as required. However, the consent does not
comply with new GDPR for the following reasons:

a) The opt-in is not separate from other terms and conditions


b) There is no mechanism for withdrawal of consent
c) How the photographs or recordings will be used is not specific

IMMEDIATE ACTION
• Ask all existing students (or their parent/guardian as appropriate) and associate tutors to give consent for recording, filming and photographs to be taken and used for record keeping and celebrating success, or for professional development purposes, which may include publication on the website or social media.
• Scrutinise websites and social media accounts to ensure that appropriate consent has been obtained and accurately recorded.

LONG-TERM PLAN
• Revise the client contract, tutor contract and all registration forms to include a specific opt-in giving consent to the taking and publication of images. The agreements will also include instructions about how to withdraw consent.
6) Children
The ICO recommends that organisations implement systems to obtain parental or guardian consent
for data processing. For private teachers with a significant under-age cohort this is likely to be our
primary focus. GDPR sets the age at which a child can give their own consent to an online service at 16
by default, but allows each member state to lower it to as young as 13, and the UK’s Data Protection
Bill (going through Parliament at the time of writing) proposes 13; check the ICO’s guidance for the
age that applies to you. For consent that is not about an online service, such as photographs taken at
a concert, the test is whether the child is old enough to understand what they are agreeing to. Either
way, we may need to put processes in place by which we seek consent from the student themselves
when they ‘come of age’, rather than relying on consent given by a parent years earlier.

IMMEDIATE ACTION
• Review the student list and address the privacy notice and consent documentation (see above) to all those over the age of 16.

LONG-TERM PLAN
• Implement a plan to flag students reaching the age of 16 and issue consent documentation to them at that point.

7) Awareness
The ICO states that decision makers and key people in our organisation need to be aware that the
law is changing and understand the impact this is likely to have. If you are working as a sole tutor
you don’t need to worry about this, but if you are heading up a school you need to make sure the
rest of your team knows what they need to do.

IMMEDIATE ACTION
• Write a briefing sheet and provide coaching on what associate tutors need to do to be compliant.

In communicating with existing students and their families, I think consistency is key. GDPR will be as
confusing for many of them as it is for us and it’s important to reassure them that the respect, care
and confidentiality with which we treat their personal data will not change. Quite simply, there is
more legislation with which we need to be compliant and their active opt-in will allow us to continue
operating as usual.

In summary, respecting and protecting the data of our students and their families is the right thing
to do. And with the threat of heavy fines for non-compliance (up to 4% of annual worldwide turnover
or €20 million, around £17M at the time of writing, whichever is greater) we have to be prepared for
GDPR to come into effect on 25 May 2018.

[Disclaimer: Nothing in this article constitutes legal advice. Specialist advice should be taken in relation to specific circumstances. The
contents of this article are for general information purposes only. Whilst we endeavour to ensure that the information in this article is
correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. We shall not be
liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising from the use of, or inability to
use, this material, or from any action or decision taken as a result of using this material.]
